Calls, scripts and more, playing with ADB

Branimir Valentic | 05.03.2019.

Control Android phones via Intents and ADB shellThis post will contain a set of ADB commands but is by no means a finished topic, ADB seams like a huge topic and I will just update this post as I learn more, I hope you will find something useful on this page, also if you have any similar usefull tips please share.

Setting up ADB

Enable Developer mode by tapping 7 times on “Settings”-”AboutPhone”-”Build Number” .Turn on USB debugging by going to the main settings page – “Developer Options” – “USB Debugging”-For Windows:Download “SDK Tools Only” from Android SDK download pageUnzip the tools, it will contain ADB and other utilities.Connect the android devices via USB, and state that you want to add keys on Android pop-up screen. Open cmd window in the folder with tools and test with following command:adb devicesIf device is not listed in output you will need to install device drivers.

-For Linux:

Connect to ADB via wireless network

Make sure that the devices are connected to the wireless network.

Find out the network’s IP range by finding out your IP, on linux you can useifconfig or ip address show commands and find IP on the needed interface.

Check out the device IP-s with nmap, example:

nmap 192.168.5.0/24 -sP

after you get the list of devices on this network search for ones tagged android-somecodes-lan and take note of the IP addresses.

Restart adb in TCP mode, port 5555(for each device separately)

adb tcpip 5555

Connect to ADB device

adb connect DeviceIP:5555

Start shell:

adb -s DeviceIP:5555 shell

Run Commands without logging in to shell:

adb -s DeviceIP:5555 shell COMMAND_AS_IN_TERMINAL

Turn on screen:

input keyevent 26

Unlock:

input keyevent 82

Transfer Files

Download and extract the ADB files on your PC:1. Open a command prompt in the ADB folder by right clicking on the mouse in the empty space of the folder while holding the Shift key.2. Now to pull any file from your device, you need to know its path. Once you know the path of the file, enter the following command to pull the file.adb pull For instance, let’s pull the Settings.apk which is located in the /System/app/ folder on your device.adb pull /system/app/Settings.apk3. The file will be pulled and saved in the ADB folder itself and you can see the transfer rate in the command prompt.

4. Pulling any file from the device is easy but pushing files to the device needs permissions. You can push any file to the internal or external SD card without any issue, but when you’re pushing it to the System partitions you might get this error:

5. So you need to mount the file system as Read-Write rather than Read-only, so execute the following commands one-by-one to mount the system writable:

adb shellsumount -o remount,rw /system

6. Your device might prompt for root permissions when you type SU, grant them. You will get the following output if everything went right.:

7. Once you are done making changes, you should remount with the original Read-Only.mount -o remount,ro /system8. To push a file to the device, just type the following command:adb pushFor instance:adb push Settings.apk /system/apps/9. If the file is pushed correctly to your device, you’ll get the similar output on the command prompt:

So you now know how to push and pull files using the ADB commands. These commands are important yet simple, aren’t they?

Make Calls

adb -s shell am start -a android.intent.action.CALL -d tel:555-5555

You can see this in the logcat:Starting: Intent { act=android.intent.action.CALL dat=tel:xxx-xxx-xxxx }am start -a android.intent.action.CALL -d tel:0919194136

Some devices:

/system/bin/radiooptions

On some Android devices, there exists an executable:/system/bin/radiooptions

If you run it, the help dislplays:Usage: radiooptions [option] [extra_socket_args]

Auto Answer:get the following property on far end to auto answer the incoming call in 2 seconds

adb shell setprop persist.sys.tel.autoanswer.ms 2000

To turn off auto answer:

adb shell setprop persist.sys.tel.autoanswer.ms 0

End Call

adb shell input keyevent 6

Send SMS

Check what SMS service you are using with:

service list | grep sms

Output example:5 isms: [com.android.internal.telephony.ISms]

If you see isms in the response, the steps you need to take are:from: send-sms-via-adb-shell-service-call-isms-android-4-1-2

You can see com.android.internal.telephony.Isms, so on this link choose your android version, then open : com -> android -> internal -> telephony -> Isms.javaFor the rest I will take the android 4.4.2 file (link).On the line 742 we have :static final int TRANSACTION_sendText = (android.os.IBinder.FIRST_CALL_TRANSACTION + 4);FIRST_CALL_TRANSACTION is equal to 1. So our option to send a sms is the number 5 (1 + 4). Above in the doc we can find (with ctrl + f) “Send an SMS.” On the line just after the bloc we have :public void sendText [some_stuff] callingPkg [again] destinationAddress […] scAddress [ …] parts […] sentIntents [final_stuff] deliveryIntents […]I’m gonna explain quickly :callingPkg : the name of the package that will send your sms (I explain how to find it later)destinationAdress : the phone number of the message recipientscAddress : your smsc (explained after)parts : your message !sendIntends and deliveryIntents : you don’t care-> Find your package name : Explore your app file or download Package Name Viewer on google play, find your message application and copy the name (com.android…)-> Find your smsc : In your application -> settings -> SMSC or Service Center or Message Center etc, copy the number display (DON’T CHANGE IT)Just before finishing, in “services” the strings are declared by s16 and integers with i32.So for my example we have :callingPkg : com.android.mmstarget number : +01234567890SMSC : +01000000000My text : Hello world !sendIntends and deliveryIntents we don’t care so we put 0 to set it to default value.Finally :adb shell service call isms 5 s16 “com.android.mms” s16 “+01234567890” s16 “+01000000000” s16 “Hello world !” i32 0 i32 0-> An example in a batch file :The send.bat :echo offset num=%1shiftfor /f “tokens=1,* delims= ” %%a in (“%*”) do set ALL_BUT_FIRST=%%becho %ALL_BUT_FIRST%adb shell service call isms 5 s16 “com.android.mms” s16 “%num%” s16 “+01000000000” s16 “%ALL_BUT_FIRST%” i32 0 i32 0run with :send.bat +01234567890 Hey you !Now tell me if it works with your android version 🙂Edit : Corrected with information given by Alex P.

Record Screen

adb shell screenrecord

Capture Screenshots

adb shell screencap adb shell screencap /sdcard/1.png

Log

Logcat is a tool that allows you to view system messages

you can run adb logcat to acces logcat ( you can exit with “Ctrl+c”)or you can use more options to get just the details you need: